ctipilot.ch

TeamPCP backdoors Checkmarx Jenkins AST plugin version 2026.5.09; SANDCLOCK exfiltrates CI/CD secrets (2026-05-09 to 2026-05-10)

incident · incident:checkmarx-jenkins-ast-plugin-2026

  • Coverage timeline: 1 (first 2026-05-12 → last 2026-05-12)
  • Briefs: 1 (1 distinct)
  • Sources cited: 16 (9 hosts)
  • Sections touched: 1 (updates)
  • Co-occurring entities: 7 (see Related entities below)

Story timeline

  1. 2026-05-12 · CTI Daily Brief — 2026-05-12
    updates: First coverage as distinct artefact. TeamPCP (UNC6780) published backdoored Checkmarx Jenkins AST plugin build 2026.5.09 to Jenkins Marketplace 2026-05-09/10. SANDCLOCK targets GitHub PATs, AWS/Azure/GCP keys, K8s service-account tokens, Docker creds, SSH keys, Checkmarx One API tokens, LLM API keys. Third Checkmarx-product supply-chain compromise in three months (KICS Docker March 2026; VS Code extension April 2026). CVE-2026-33634 (CVSS 9.4). Safe versions: 2.0.13-848.v76e89de8a_053 or 2.0.13-829.vc72453fa_1c16.

Where this entity is cited

  • updates: 1

Source distribution

  • nvd.nist.gov: 5 (31%)
  • securityweek.com: 2 (12%)
  • thehackernews.com: 2 (12%)
  • attack.mitre.org: 2 (12%)
  • checkmarx.com: 1 (6%)
  • sentinelone.com: 1 (6%)
  • isc.sans.edu: 1 (6%)
  • research.checkpoint.com: 1 (6%)
  • other: 1 (6%)

Related entities

All cited sources (16)

Items in briefs about TeamPCP backdoors Checkmarx Jenkins AST plugin version 2026.5.09; SANDCLOCK exfiltrates CI/CD secrets (2026-05-09 to 2026-05-10) (3)

TeamPCP → PCPJack — cloud-worm successor evicting prior operator artefacts

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-12

Current state: SentinelLabs documented PCPJack on 2026-05-07 as a worm-class framework that evicts and deletes existing TeamPCP artefacts on compromise (giving the framework its name), then deploys six Python modules harvesting credentials from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Propagation targets are pulled from Common Crawl Parquet files rather than ad-hoc scanning — far broader curated attack surface than typical opportunistic worms. Weaponises five public CVEs simultaneously (CVE-2025-29927 Next.js, CVE-2025-55182 React2Shell, CVE-2026-1357 WPVivid, CVE-2025-9501 W3 Total Cache, CVE-2025-48703 CWP). The TeamPCP → PCPJack succession overlay is the operational specific worth tracking: SentinelLabs explicitly states there is no evidence yet of a direct operator-level connection, while the eviction logic implies operators familiar with TeamPCP's target population. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08 · daily 2026-05-10). The earlier TeamPCP "Mini Shai-Hulud" SAP CAP npm worm (covered 2026-05-06) used Claude Code SessionStart hooks and VSCode tasks for propagation — that thread is separate from PCPJack's CVE-chain propagation but the same operator population is tracked.

UPDATE: TeamPCP (UNC6780 / PCPJack ecosystem) backdoors the Checkmarx Jenkins AST plugin — third Checkmarx supply-chain compromise in three months, SANDCLOCK exfiltrates every CI secret reachable from the runner

From CTI Daily Brief — 2026-05-12 · published 2026-05-12

UPDATE (TeamPCP / mini-shai-hulud first covered 2026-05-07; PCPJack worm covered 2026-05-10; this is a distinct new artefact in the same actor ecosystem): On 2026-05-09–10 (UTC) TeamPCP (UNC6780) published a backdoored build of the Checkmarx Jenkins AST plugin (version 2026.5.09, marketed under the actor's signature naming "Checkmarx-Fully-Hacked-by-TeamPCP") to the Jenkins Marketplace. Any Jenkins instance configured to auto-update the AST plugin during that window pulled the malicious build and executed the SANDCLOCK credential stealer in the runner context (Checkmarx — Ongoing Security Updates, last updated 2026-05-09; The Hacker News, 2026-05-11; SecurityWeek, 2026-05-11).

SANDCLOCK targets every secret reachable from a typical CI/CD pipeline environment: GitHub Personal Access Tokens, AWS / Azure / GCP credentials, Kubernetes service-account tokens, Docker / OCI registry credentials, SSH keys, and Checkmarx One API tokens. Affected pipelines should be treated as full secrets-compromise events: every credential the runner could read must be rotated and any artefact built or deployed in the window audited. Checkmarx's ongoing-security-updates page specifies plugin version 2.0.13-829.vc72453fa_1c16 (published December 2025) as the safe pinned version; a CVE has been issued as CVE-2026-33634 per the Checkmarx advisory. This is the third Checkmarx-product supply-chain compromise by this actor in three months, after the March 2026 KICS Docker image and the April 2026 VS Code extension defacement — the cadence and the actor's naming convention indicate persistent targeting of the Checkmarx product line specifically, not opportunistic distribution-channel abuse.

Mapped to T1195.002 Compromise Software Supply Chain and T1552.001 Credentials In Files. The GTIG AI Threat Tracker (see § 5) attributes SANDCLOCK specifically to TeamPCP and flags the stealer as explicitly designed to harvest LLM API keys in addition to traditional cloud credentials — consistent with the actor's pivot to monetising stolen LLM access. Defender pivot: inventory every Jenkins plugin auto-update enabled across CI/CD estates; constrain runners to short-lived OIDC-federated credentials (no long-lived PATs in runner env) where the platform supports it; audit Checkmarx One API logs for unexpected source IPs since 2026-05-09.
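The first defender pivot above (inventory the Checkmarx AST plugin across every Jenkins controller and compare the installed build against the compromised and safe-pinned versions named in this brief) can be scripted against the JSON Jenkins serves from `GET /pluginManager/api/json?depth=1`. The script below is an added example written for this page; it is not code from ctipilot.ch, Checkmarx or the Jenkins project. The version strings come from the brief; the plugin short name `checkmarx-ast-scanner` is an assumption about the plugin's ID on the Jenkins update site, and the per-host manifests are constructed sample data in the shape of that endpoint's output.

```python
"""Inventory Jenkins controllers for the backdoored Checkmarx AST plugin build.

Added example, not from ctipilot.ch, Checkmarx or Jenkins. Each input is the
JSON text returned by GET /pluginManager/api/json?depth=1 on one controller
(e.g. saved from `curl -u user:apitoken <jenkins-url>/pluginManager/api/json?depth=1`).
The output is a sorted list of verdicts, worst first.
"""
import json
from dataclasses import dataclass

# Assumption: the Checkmarx AST plugin's short name on the Jenkins update site.
# Adjust if your update site lists it under a different ID.
CHECKMARX_AST_PLUGIN = "checkmarx-ast-scanner"

# Version strings as stated in the brief.
COMPROMISED_VERSIONS = {"2026.5.09"}
SAFE_PINNED_VERSIONS = {"2.0.13-848.v76e89de8a_053", "2.0.13-829.vc72453fa_1c16"}

# Triage order: anything that ran the malicious build outranks an unknown build.
VERDICT_ORDER = {"compromised": 0, "unverified": 1, "safe-pinned": 2, "absent": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    version: str
    verdict: str  # "compromised" | "safe-pinned" | "unverified" | "absent"


def classify_version(version: str) -> str:
    """Map an installed Checkmarx AST plugin version to a verdict."""
    if version in COMPROMISED_VERSIONS:
        return "compromised"
    if version in SAFE_PINNED_VERSIONS:
        return "safe-pinned"
    # Any other build is neither confirmed bad nor confirmed good: inspect by hand.
    return "unverified"


def audit_plugin_manifest(host: str, manifest_json: str) -> Finding:
    """Inspect one controller's pluginManager JSON for the Checkmarx AST plugin.

    A disabled-but-installed copy is still reported: the brief states the
    malicious build executed on the runner, so "enabled": false is not a
    clean bill of health.
    """
    manifest = json.loads(manifest_json)
    for plugin in manifest.get("plugins", []):
        if plugin.get("shortName") == CHECKMARX_AST_PLUGIN:
            version = str(plugin.get("version", ""))
            return Finding(host, CHECKMARX_AST_PLUGIN, version, classify_version(version))
    return Finding(host, CHECKMARX_AST_PLUGIN, "", "absent")


def audit_estate(manifests: dict) -> list:
    """Run the check across every controller, ordering the worst findings first."""
    findings = [audit_plugin_manifest(host, text) for host, text in manifests.items()]
    return sorted(findings, key=lambda f: (VERDICT_ORDER[f.verdict], f.host))


# Constructed sample input: four controllers, each in the shape of
# /pluginManager/api/json?depth=1 (other plugin names and versions are made up).
SAMPLE_MANIFESTS = {
    "jenkins-build-01": json.dumps({"plugins": [
        {"shortName": "git", "version": "5.2.2", "enabled": True},
        {"shortName": CHECKMARX_AST_PLUGIN, "version": "2026.5.09", "enabled": True},
    ]}),
    "jenkins-build-02": json.dumps({"plugins": [
        {"shortName": CHECKMARX_AST_PLUGIN, "version": "2.0.13-829.vc72453fa_1c16", "enabled": True},
    ]}),
    "jenkins-build-03": json.dumps({"plugins": [
        {"shortName": CHECKMARX_AST_PLUGIN, "version": "2026.5.09", "enabled": False},
    ]}),
    "jenkins-build-04": json.dumps({"plugins": [
        {"shortName": "workflow-aggregator", "version": "600.vb_57cdd26fdd7"},
    ]}),
}


if __name__ == "__main__":
    for f in audit_estate(SAMPLE_MANIFESTS):
        print(f"{f.verdict:12} {f.host:18} {f.version or '-'}")
```

Hosts reported as `compromised` are the ones whose reachable secrets need rotation and whose artefacts from the window need auditing; `unverified` hosts carry a build the brief does not name and should be pinned to one of the two safe versions after a manual check.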

PCPJack — modular cloud-credential-theft worm displaces TeamPCP using five public CVEs and a multi-cloud key-harvesting pipeline

From CTI Daily Brief — 2026-05-10 · published 2026-05-12

SentinelLabs documented PCPJack on 2026-05-07, a worm-class framework that propagates across exposed cloud and web infrastructure by chaining five public CVEs simultaneously: CVE-2025-29927 (Next.js middleware authorisation bypass via crafted header), CVE-2025-55182 ("React2Shell" — Server Actions deserialisation in React/Next.js), CVE-2026-1357 (unauthenticated file upload in WPVivid Backup), CVE-2025-9501 (PHP injection in W3 Total Cache via the mfunc comment processor) and CVE-2025-48703 (shell injection in the CentOS Web Panel FileManager) (SentinelLabs, 2026-05-07 · The Hacker News, 2026-05-07 · SecurityWeek, 2026-05-08). The bootstrap shell script first evicts and deletes existing TeamPCP artefacts from the host (giving the framework its name), then deploys six Python modules covering credential extraction from Docker, Kubernetes, Redis, MongoDB, RayML, and dozens of cloud / SaaS services (AWS, Azure, GCP, GitHub, Slack, HashiCorp Vault, 1Password). Second-stage tooling drops Sliver C2 beacons.

Exfiltration uses Telegram channels with ChaCha20-Poly1305 encryption; propagation target lists are pulled from Common Crawl Parquet files rather than scanned ad-hoc, which gives the campaign a far broader and more curated attack surface than typical opportunistic scanning. Unlike TeamPCP and TeamTNT which monetise via cryptominers, PCPJack drops no miner — SentinelLabs assesses monetisation as credential fraud, spam, access resale, or extortion (SentinelLabs, 2026-05-07). SentinelLabs notes TTP overlap with TeamPCP and frames PCPJack as a possible former affiliate or breakaway operation. Defenders running self-hosted Next.js, React-server-actions stacks, WordPress with WPVivid Backup or W3 Total Cache, or CentOS Web Panel with internet-reachable FileManager should treat all five CVEs as actively weaponised.